Callers of JSString::getIndex should check for OOM exceptions
1 2018-12-14  Keith Miller  <keith_miller@apple.com>
2
3         Callers of JSString::getIndex should check for OOM exceptions
4         https://bugs.webkit.org/show_bug.cgi?id=192709
5
6         Reviewed by Mark Lam.
7
8         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
9
10 2018-12-13  Mark Lam  <mark.lam@apple.com>
11
12         Add a missing exception check.
13         https://bugs.webkit.org/show_bug.cgi?id=192626
14         <rdar://problem/46662163>
15
16         Reviewed by Keith Miller.
17
18         * stress/regress-192626.js: Added.
19
20 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
21
22         [BigInt] Add ValueDiv into DFG
23         https://bugs.webkit.org/show_bug.cgi?id=186178
24
25         Reviewed by Yusuke Suzuki.
26
27         * stress/big-int-div-jit-osr.js: Added.
28         * stress/big-int-div-jit-untyped.js: Added.
29         * stress/value-div-fixup-int32-big-int.js: Added.
30
31 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
32
33         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
34         https://bugs.webkit.org/show_bug.cgi?id=190047
35
36         Reviewed by Keith Miller.
37
38         * stress/object-keys-cached-zero.js: Added.
39         (shouldBe):
40         (test):
41         * stress/object-keys-changed-attribute.js: Added.
42         (shouldBe):
43         (test):
44         * stress/object-keys-changed-index.js: Added.
45         (shouldBe):
46         (test):
47         * stress/object-keys-changed.js: Added.
48         (shouldBe):
49         (test):
50         * stress/object-keys-indexed-non-cache.js: Added.
51         (shouldBe):
52         (test):
53         * stress/object-keys-overrides-get-property-names.js: Added.
54         (shouldBe):
55         (test):
56         (noInline):
57
58 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
59
60         [DFG][FTL] Add NewSymbol
61         https://bugs.webkit.org/show_bug.cgi?id=192620
62
63         Reviewed by Saam Barati.
64
65         * microbenchmarks/symbol-creation.js: Added.
66         (test):
67         * stress/symbol-description-identity.js: Added.
68         (shouldBe):
69         (test):
70         * stress/symbol-identity.js: Added.
71         (shouldBe):
72         (test):
73         * stress/symbol-with-description-throw-error.js: Added.
74         (shouldBe):
75         (shouldThrow):
76         (test):
77         (object.toString):
78
79 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
80
81         [BigInt] Implement DFG/FTL typeof for BigInt
82         https://bugs.webkit.org/show_bug.cgi?id=192619
83
84         Reviewed by Keith Miller.
85
86         * stress/big-int-boolean-proven-type.js: Added.
87         (assert):
88         (bool):
89         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
90         (assert):
91         (typeOf):
92         (i.switch):
93         * stress/big-int-type-of-proven-type-non-constant.js: Added.
94         (assert):
95         (typeOf):
96         * stress/big-int-type-of.js:
97         (typeOf):
98         (func):
99
100 2018-12-10  Mark Lam  <mark.lam@apple.com>
101
102         PropertyAttribute needs a CustomValue bit.
103         https://bugs.webkit.org/show_bug.cgi?id=191993
104         <rdar://problem/46264467>
105
106         Reviewed by Saam Barati.
107
108         * stress/regress-191993.js: Added.
109
110 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
111
112         [BigInt] Add ValueMul into DFG
113         https://bugs.webkit.org/show_bug.cgi?id=186175
114
115         Reviewed by Yusuke Suzuki.
116
117         * stress/big-int-mul-jit-osr.js: Added.
118         * stress/big-int-mul-jit-untyped.js: Added.
119         * stress/value-mul-fixup-int32-big-int.js: Added.
120
121 2018-12-06  Keith Miller  <keith_miller@apple.com>
122
123         stress/big-wasm-memory tests failing on 32-bit JSC bot
124         https://bugs.webkit.org/show_bug.cgi?id=192020
125
126         Reviewed by Saam Barati.
127
128         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
129         the wasm stress tests if the WebAssembly object does not exist.
130
131         * stress/big-wasm-memory-grow-no-max.js:
132         (test.foo):
133         (test):
134         (foo): Deleted.
135         (catch): Deleted.
136         * stress/big-wasm-memory-grow.js:
137         (test.foo):
138         (test):
139         (foo): Deleted.
140         (catch): Deleted.
141         * stress/big-wasm-memory.js:
142         (test.foo):
143         (test):
144         (foo): Deleted.
145         (catch): Deleted.
146
147 2018-12-05  Mark Lam  <mark.lam@apple.com>
148
149         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
150         https://bugs.webkit.org/show_bug.cgi?id=192441
151         <rdar://problem/46480355>
152
153         Reviewed by Saam Barati.
154
155         * stress/regress-192441.js: Added.
156
157 2018-12-04  Mark Lam  <mark.lam@apple.com>
158
159         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
160         https://bugs.webkit.org/show_bug.cgi?id=192386
161         <rdar://problem/46445516>
162
163         Reviewed by Saam Barati.
164
165         * stress/regress-192386.js: Added.
166
167 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
168
169         [ESNext][BigInt] Support logic operations
170         https://bugs.webkit.org/show_bug.cgi?id=179903
171
172         Reviewed by Yusuke Suzuki.
173
174         * stress/big-int-branch-usage.js: Added.
175         * stress/big-int-logical-and.js: Added.
176         * stress/big-int-logical-not.js: Added.
177         * stress/big-int-logical-or.js: Added.
178
179 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
180
181         Unreviewed, rolling out r238833.
182
183         Breaks macOS and iOS debug builds.
184
185         Reverted changeset:
186
187         "[ESNext][BigInt] Support logic operations"
188         https://bugs.webkit.org/show_bug.cgi?id=179903
189         https://trac.webkit.org/changeset/238833
190
191 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
192
193         [ESNext][BigInt] Support logic operations
194         https://bugs.webkit.org/show_bug.cgi?id=179903
195
196         Reviewed by Yusuke Suzuki.
197
198         * stress/big-int-branch-usage.js: Added.
199         * stress/big-int-logical-and.js: Added.
200         * stress/big-int-logical-not.js: Added.
201         * stress/big-int-logical-or.js: Added.
202
203 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
204
205         [ESNext][BigInt] Implement support for "<<" and ">>"
206         https://bugs.webkit.org/show_bug.cgi?id=186233
207
208         Reviewed by Yusuke Suzuki.
209
210         * stress/big-int-left-shift-general.js: Added.
211         * stress/big-int-left-shift-range-error.js: Added.
212         * stress/big-int-left-shift-type-error.js: Added.
213         * stress/big-int-left-shift-wrapped-value.js: Added.
214         * stress/big-int-right-shift-general.js: Added.
215         * stress/big-int-right-shift-type-error.js: Added.
216         * stress/big-int-right-shift-wrapped-value.js: Added.
217         * stress/left-shift-to-primitive-precedence.js: Added.
218         * stress/right-shift-to-primitive-precedence.js: Added.
219
220 2018-11-30  Dean Jackson  <dino@apple.com>
221
222         Add first-class support for .mjs files in jsc binary
223         https://bugs.webkit.org/show_bug.cgi?id=192190
224         <rdar://problem/46375715>
225
226         Reviewed by Keith Miller.
227
228         * stress/simple-module.mjs: Added.
229         * stress/simple-script.js: Added.
230
231 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
232
233         [BigInt] Implement ValueBitXor into DFG
234         https://bugs.webkit.org/show_bug.cgi?id=190264
235
236         Reviewed by Yusuke Suzuki.
237
238         * stress/big-int-bitwise-xor-jit.js: Added.
239         * stress/big-int-bitwise-xor-memory-stress.js: Added.
240         * stress/big-int-bitwise-xor-untyped.js: Added.
241
242 2018-11-27  Saam barati  <sbarati@apple.com>
243
244         r238510 broke scopes of size zero
245         https://bugs.webkit.org/show_bug.cgi?id=192033
246         <rdar://problem/46281734>
247
248         Reviewed by Keith Miller.
249
250         * stress/r238510-bad-loop.js: Added.
251         (foo):
252
253 2018-11-27  Mark Lam  <mark.lam@apple.com>
254
255         [Re-landing] NaNs read from Wasm code needs to be purified.
256         https://bugs.webkit.org/show_bug.cgi?id=191056
257         <rdar://problem/45660341>
258
259         Reviewed by Filip Pizlo.
260
261         * wasm/regress/regress-191056.js: Added.
262
263 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
264
265         Unreviewed, rolling out r238509.
266
267         Causes JSC tests to fail on iOS.
268
269         Reverted changeset:
270
271         "NaNs read from Wasm code needs to be purified."
272         https://bugs.webkit.org/show_bug.cgi?id=191056
273         https://trac.webkit.org/changeset/238509
274
275 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
276
277         Re-introduce op_bitnot
278         https://bugs.webkit.org/show_bug.cgi?id=190923
279
280         Reviewed by Yusuke Suzuki.
281
282         * stress/bit-not-must-generate.js: Added.
283         * stress/bitwise-not-no-int32.js: Added.
284
285 2018-11-26  Saam barati  <sbarati@apple.com>
286
287         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
288         https://bugs.webkit.org/show_bug.cgi?id=191956
289         <rdar://problem/45665806>
290
291         Reviewed by Yusuke Suzuki.
292
293         * stress/end-basic-block-set-local-should-filter-type.js: Added.
294         (bar):
295         (foo):
296
297 2018-11-26  Saam barati  <sbarati@apple.com>
298
299         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
300         https://bugs.webkit.org/show_bug.cgi?id=191958
301         <rdar://problem/46221877>
302
303         Reviewed by Yusuke Suzuki.
304
305         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
306         (x):
307         (foo):
308
309 2018-11-26  Mark Lam  <mark.lam@apple.com>
310
311         NaNs read from Wasm code needs to be purified.
312         https://bugs.webkit.org/show_bug.cgi?id=191056
313         <rdar://problem/45660341>
314
315         Reviewed by Filip Pizlo.
316
317         * wasm/regress/regress-191056.js: Added.
318
319 2018-11-26  Michael Saboff  <msaboff@apple.com>
320
321         32-bit JSC test failure: stress/regexp-compile-oom.js
322         https://bugs.webkit.org/show_bug.cgi?id=191375
323
324         Reviewed by Mark Lam.
325
326         Disabled the test for 32 bit platforms.
327
328         * stress/regexp-compile-oom.js:
329
330 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
331
332         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
333         https://bugs.webkit.org/show_bug.cgi?id=191716
334         <rdar://problem/45723878>
335
336         Reviewed by Saam Barati.
337
338         * stress/regress-187373.js: Added.
339         (async.fn):
340
341 2018-11-21  Saam barati  <sbarati@apple.com>
342
343         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
344         https://bugs.webkit.org/show_bug.cgi?id=191897
345         <rdar://problem/45871998>
346
347         Reviewed by Mark Lam.
348
349         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
350         (bar):
351         (foo):
352
353 2018-11-21  Saam barati  <sbarati@apple.com>
354
355         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
356         https://bugs.webkit.org/show_bug.cgi?id=191895
357         <rdar://problem/46167406>
358
359         Reviewed by Mark Lam.
360
361         * stress/known-cell-use-needs-type-check-assertion.js: Added.
362         (foo):
363         (bar):
364
365 2018-11-21  Mark Lam  <mark.lam@apple.com>
366
367         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
368         https://bugs.webkit.org/show_bug.cgi?id=191776
369         <rdar://problem/46152851>
370
371         Reviewed by Saam Barati.
372
373         * stress/big-wasm-memory-grow-no-max.js:
374         * stress/big-wasm-memory-grow.js:
375         * stress/big-wasm-memory.js:
376         - updated these to expect an OutOfMemoryError.
377
378         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
379         (Binary.prototype.emit_u8):
380         (Binary.prototype.emit_u32v):
381         (Binary.prototype.emit_header):
382         (Binary.prototype.emit_section):
383         (Binary):
384         (WasmModuleBuilder):
385         (WasmModuleBuilder.prototype.addMemory):
386         (WasmModuleBuilder.prototype.toArray):
387         (WasmModuleBuilder.prototype.toBuffer):
388         (WasmModuleBuilder.prototype.instantiate):
389         (catch):
390         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
391         (catch):
392
393 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
394
395         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
396         https://bugs.webkit.org/show_bug.cgi?id=190836
397
398         Reviewed by Saam Barati and Yusuke Suzuki.
399
400         * stress/big-int-out-of-memory-tests.js: Added.
401
402 2018-11-20  Mark Lam  <mark.lam@apple.com>
403
404         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
405         https://bugs.webkit.org/show_bug.cgi?id=191856
406         <rdar://problem/46089992>
407
408         Reviewed by Yusuke Suzuki.
409
410         * stress/regress-191856.js: Added.
411         - this test is skipped for now until we have a fix for webkit.org/b/191855.
412
413 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
414
415         Enable JIT on ARM/Linux
416         https://bugs.webkit.org/show_bug.cgi?id=191548
417
418         Reviewed by Yusuke Suzuki.
419
420         Disable test on system with limited memory. Program was killed by
421         the OS before the exception was thrown.
422
423         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
424
425 2018-11-20  Saam barati  <sbarati@apple.com>
426
427         Merging an IC variant may lead to the IC status containing overlapping structure sets
428         https://bugs.webkit.org/show_bug.cgi?id=191869
429         <rdar://problem/45403453>
430
431         Reviewed by Mark Lam.
432
433         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
434
435 2018-11-19  Mark Lam  <mark.lam@apple.com>
436
437         globalFuncImportModule() should return a promise when it clears exceptions.
438         https://bugs.webkit.org/show_bug.cgi?id=191792
439         <rdar://problem/46090763>
440
441         Reviewed by Michael Saboff.
442
443         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
444
445 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
446
447         Skip new memory-hungry tests on memory limited devices
448
449         Unreviewed gardening.
450
451         * stress/big-wasm-memory-grow-no-max.js:
452         * stress/big-wasm-memory-grow.js:
453         * stress/big-wasm-memory.js:
454
455 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
456
457         Unreviewed, rolling in the rest of r237254
458         https://bugs.webkit.org/show_bug.cgi?id=190340
459
460         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
461         * stress/function-cache-with-parameters-end-position.js: Added.
462         (shouldBe):
463         (shouldThrow):
464         (i.anonymous):
465         * stress/function-constructor-name.js: Added.
466         (shouldBe):
467         (GeneratorFunction):
468         (AsyncFunction.async):
469         (AsyncGeneratorFunction.async):
470         (anonymous):
471         (async.anonymous):
472         * test262/expectations.yaml:
473
474 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
475
476         All users of ArrayBuffer should agree on the same max size
477         https://bugs.webkit.org/show_bug.cgi?id=191771
478
479         Reviewed by Mark Lam.
480
481         * stress/big-wasm-memory-grow-no-max.js: Added.
482         (foo):
483         (catch):
484         * stress/big-wasm-memory-grow.js: Added.
485         (foo):
486         (catch):
487         * stress/big-wasm-memory.js: Added.
488         (foo):
489         (catch):
490
491 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
492
493         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
494         run for each JSC config since they're regression tests for runtime bugs.
495
496         * stress/json-stringified-overflow-2.js:
497         * stress/json-stringified-overflow.js:
498
499 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
500
501         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
502         config since they're regression tests for runtime bugs.
503
504         * stress/large-unshift-splice.js:
505         * stress/regress-185888.js:
506
507 2018-11-16  Saam Barati  <sbarati@apple.com>
508
509         KnownCellUse should also have SpecCellCheck as its type filter
510         https://bugs.webkit.org/show_bug.cgi?id=191729
511         <rdar://problem/45872852>
512
513         Reviewed by Filip Pizlo.
514
515         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
516         (C):
517
518 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
519
520         Fix assertion failure on BytecodeGenerator::recordOpcode
521         https://bugs.webkit.org/show_bug.cgi?id=191724
522         <rdar://problem/45724395>
523
524         Reviewed by Saam Barati.
525
526         * stress/regress-187373-2.js: Added.
527         (foo):
528
529 2018-11-15  Mark Lam  <mark.lam@apple.com>
530
531         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
532         https://bugs.webkit.org/show_bug.cgi?id=191730
533         <rdar://problem/46048517>
534
535         Reviewed by Saam Barati.
536
537         * stress/regress-187006.js: Removed.
538           - this test is invalid because its sole purpose is to test for the non-spec
539             compliant behavior that we just fixed.
540
541         * stress/regress-191730.js: Added.
542
543 2018-11-15  Mark Lam  <mark.lam@apple.com>
544
545         RegExp operations should not take fast path if lastIndex is not numeric.
546         https://bugs.webkit.org/show_bug.cgi?id=191731
547         <rdar://problem/46017305>
548
549         Reviewed by Saam Barati.
550
551         * stress/regress-191731.js: Added.
552
553 2018-11-13  Saam Barati  <sbarati@apple.com>
554
555         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
556         https://bugs.webkit.org/show_bug.cgi?id=191600
557
558         Reviewed by Mark Lam.
559
560         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
561         (foo):
562         (test):
563         (bar):
564
565 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
566
567         Unreviewed, rolling out r238132.
568
569         The test added with this change is timing out on Debug JSC
570         bots.
571
572         Reverted changeset:
573
574         "[BigInt] JSBigInt::createWithLength should throw when length
575         is greater than JSBigInt::maxLength"
576         https://bugs.webkit.org/show_bug.cgi?id=190836
577         https://trac.webkit.org/changeset/238132
578
579 2018-11-13  Mark Lam  <mark.lam@apple.com>
580
581         Add OOM detection to StringPrototype's substituteBackreferences().
582         https://bugs.webkit.org/show_bug.cgi?id=191563
583         <rdar://problem/45720428>
584
585         Reviewed by Saam Barati.
586
587         * stress/regress-191563.js: Added.
588
589 2018-11-13  Mark Lam  <mark.lam@apple.com>
590
591         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
592         https://bugs.webkit.org/show_bug.cgi?id=191579
593         <rdar://problem/45942472>
594
595         Reviewed by Saam Barati.
596
597         * stress/regress-191579.js: Added.
598
599 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
600
601         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
602         https://bugs.webkit.org/show_bug.cgi?id=190836
603
604         Reviewed by Saam Barati.
605
606         * stress/big-int-out-of-memory-tests.js: Added.
607
608 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
609
610         U+180E is no longer a whitespace character
611         https://bugs.webkit.org/show_bug.cgi?id=191415
612
613         Reviewed by Saam Barati.
614
615         * ChakraCore/test/es5/regexSpace.baseline:
616         * ChakraCore/test/es6/unicode_whitespace.js:
617         Update tests to latest version.
618         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
619
620         * test262.yaml:
621         * test262/config.yaml:
622         * test262/expectations.yaml:
623         Update expectations.
624
625 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
626
627         [BigInt] Add support to BigInt into ValueAdd
628         https://bugs.webkit.org/show_bug.cgi?id=186177
629
630         Reviewed by Keith Miller.
631
632         * stress/big-int-negate-jit.js:
633         * stress/value-add-big-int-and-string.js: Added.
634         * stress/value-add-big-int-prediction-propagation.js: Added.
635         * stress/value-add-big-int-untyped.js: Added.
636
637 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
638
639         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
640         https://bugs.webkit.org/show_bug.cgi?id=191184
641
642         Reviewed by Saam Barati.
643
644         Most tests were failing due to timeouts, since they are too slow to
645         run on CLoop. The exceptions are:
646
647         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
648         dont-crash-on-stack-overflow-when-parsing-builtin.js and
649         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
650         to change the stack size since CLoop requires it to be page aligned.
651
652         * microbenchmarks/array-push-1.js:
653         * microbenchmarks/array-push-2.js:
654         * microbenchmarks/elidable-new-object-dag.js:
655         * microbenchmarks/elidable-new-object-roflcopter.js:
656         * microbenchmarks/elidable-new-object-tree.js:
657         * microbenchmarks/getter-richards.js:
658         * microbenchmarks/sinkable-new-object-dag.js:
659         * microbenchmarks/string-concat-long-convert.js:
660         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
661         * slowMicrobenchmarks/array-push-3.js:
662         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
663         * slowMicrobenchmarks/spread-small-array.js:
664         * slowMicrobenchmarks/undefined-property-access.js:
665         * stress/activation-sink-default-value-tdz-error.js:
666         * stress/activation-sink-default-value.js:
667         * stress/activation-sink-osrexit-default-value-tdz-error.js:
668         * stress/activation-sink-osrexit-default-value.js:
669         * stress/activation-sink-osrexit.js:
670         * stress/activation-sink.js:
671         * stress/allow-math-ic-b3-code-duplication.js:
672         * stress/array-push-multiple-int32.js:
673         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
674         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
675         * stress/arrowfunction-lexical-this-activation-sink.js:
676         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
677         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
678         * stress/elide-new-object-dag-then-exit.js:
679         * stress/materialize-regexp-cyclic.js:
680         * stress/new-regex-inline.js:
681         * stress/op_add.js:
682         * stress/op_bitand.js:
683         * stress/op_bitor.js:
684         * stress/op_bitxor.js:
685         * stress/op_div-ConstVar.js:
686         * stress/op_div-VarConst.js:
687         * stress/op_div-VarVar.js:
688         * stress/op_lshift-ConstVar.js:
689         * stress/op_lshift-VarConst.js:
690         * stress/op_lshift-VarVar.js:
691         * stress/op_mod-ConstVar.js:
692         * stress/op_mod-VarConst.js:
693         * stress/op_mod-VarVar.js:
694         * stress/op_mul-ConstVar.js:
695         * stress/op_mul-VarConst.js:
696         * stress/op_mul-VarVar.js:
697         * stress/op_rshift-ConstVar.js:
698         * stress/op_rshift-VarConst.js:
699         * stress/op_rshift-VarVar.js:
700         * stress/op_sub-ConstVar.js:
701         * stress/op_sub-VarConst.js:
702         * stress/op_sub-VarVar.js:
703         * stress/op_urshift-ConstVar.js:
704         * stress/op_urshift-VarConst.js:
705         * stress/op_urshift-VarVar.js:
706         * stress/proxy-get-set-correct-receiver.js:
707         * stress/regress-179562.js:
708         * stress/rest-parameter-many-arguments.js:
709         * stress/sampling-profiler-richards.js:
710         * stress/splay-flash-access-1ms.js:
711         * stress/tailCallForwardArguments.js:
712         * stress/typed-array-get-by-val-profiling.js:
713         * typeProfiler/getter-richards.js:
714
715 2018-11-06  Michael Saboff  <msaboff@apple.com>
716
717         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
718         https://bugs.webkit.org/show_bug.cgi?id=191271
719
720         Reviewed by Saam Barati.
721
722         Added more test cases and made all test cases run with the same deeply recursive stack
723         instead of finding that same point for each test case.
724
725         * stress/regexp-compile-oom.js:
726         (prototype.runTest):
727         (recurseAndTest):
728         (testList.push.new.TestAndExpectedException):
729
730 2018-11-05  Michael Saboff  <msaboff@apple.com>
731
732         Unreviewed build fix for linux.
733
734         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
735
736 2018-11-02  Michael Saboff  <msaboff@apple.com>
737
738         Rolling in r237753 with unreviewed build fix.
739
740         Fixed issues with DECLARE_THROW_SCOPE placement.
741
742 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
743
744         Unreviewed, rolling out r237753.
745
746         Introduced JSC test failures
747
748         Reverted changeset:
749
750         "Running out of stack space not properly handled in
751         RegExp::compile() and its callers"
752         https://bugs.webkit.org/show_bug.cgi?id=191206
753         https://trac.webkit.org/changeset/237753
754
755 2018-11-02  Michael Saboff  <msaboff@apple.com>
756
757         Running out of stack space not properly handled in RegExp::compile() and its callers
758         https://bugs.webkit.org/show_bug.cgi?id=191206
759
760         Reviewed by Filip Pizlo.
761
762         New regression test.
763
764         * stress/regexp-compile-oom.js: Added.
765         (recurseAndTest):
766
767 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
768
769         Skip tests on arm/mips that time out now we're running on CLoop
770
771         Unreviewed gardening.
772
773         Since the JIT is temporarily disabled on 32-bit platforms, these tests
774         time out on the bots and need to be disabled. There's more tests
775         disabled on arm because the timeout is longer on the mips bot (as the
776         device is slower to start with), so many of the tests don't time out
777         there.
778
779         * microbenchmarks/getter-richards.js: disable on arm and mips.
780         * stress/op_add.js: disable on arm.
781         * stress/op_bitand.js: disable on arm.
782         * stress/op_bitor.js: disable on arm.
783         * stress/op_bitxor.js: disable on arm.
784         * stress/op_lshift-ConstVar.js: disable on arm.
785         * stress/op_lshift-VarConst.js: disable on arm.
786         * stress/op_lshift-VarVar.js: disable on arm.
787         * stress/op_mod-ConstVar.js: disable on arm.
788         * stress/op_mod-VarConst.js: disable on arm.
789         * stress/op_mod-VarVar.js: disable on arm.
790         * stress/op_mul-ConstVar.js: disable on arm.
791         * stress/op_mul-VarConst.js: disable on arm.
792         * stress/op_mul-VarVar.js: disable on arm.
793         * stress/op_rshift-ConstVar.js: disable on arm.
794         * stress/op_rshift-VarConst.js: disable on arm.
795         * stress/op_rshift-VarVar.js: disable on arm.
796         * stress/op_sub-ConstVar.js: disable on arm.
797         * stress/op_sub-VarConst.js: disable on arm.
798         * stress/op_sub-VarVar.js: disable on arm.
799         * stress/op_urshift-ConstVar.js: disable on arm.
800         * stress/op_urshift-VarConst.js: disable on arm.
801         * stress/op_urshift-VarVar.js: disable on arm.
802         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
803         * stress/value-to-boolean.js: disable on arm and mips.
804
805 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
806
807         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
808         https://bugs.webkit.org/show_bug.cgi?id=191108
809         <rdar://problem/45690700>
810
811         Reviewed by Saam Barati.
812
813         * stress/wide-op_catch.js: Added.
814         (catch):
815
816 2018-10-29  Mark Lam  <mark.lam@apple.com>
817
818         Correctly detect string overflow when using the 'Function' constructor.
819         https://bugs.webkit.org/show_bug.cgi?id=184883
820         <rdar://problem/36320331>
821
822         Reviewed by Saam Barati.
823
824         I've verified that this passes on 32-bit as well.
825
826         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
827
828 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
829
830         Add support for GetStack FlushedDouble
831         https://bugs.webkit.org/show_bug.cgi?id=191012
832         <rdar://problem/45265141>
833
834         Reviewed by Saam Barati.
835
836         * stress/get-stack-double.js: Added.
837         (bar):
838         (noInline):
839
840 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
841
842         New bytecode format for JSC
843         https://bugs.webkit.org/show_bug.cgi?id=187373
844         <rdar://problem/44186758>
845
846         Reviewed by Filip Pizlo.
847
848         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
849
850         * stress/maximum-inline-capacity.js: Added.
851         (test1):
852         (test3.Foo):
853         (test3):
854
855 2018-10-26  Commit Queue  <commit-queue@webkit.org>
856
857         Unreviewed, rolling out r237479 and r237484.
858         https://bugs.webkit.org/show_bug.cgi?id=190978
859
860         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
861
862         Reverted changesets:
863
864         "New bytecode format for JSC"
865         https://bugs.webkit.org/show_bug.cgi?id=187373
866         https://trac.webkit.org/changeset/237479
867
868         "Gardening: Build fix after r237479."
869         https://bugs.webkit.org/show_bug.cgi?id=187373
870         https://trac.webkit.org/changeset/237484
871
872 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
873
874         New bytecode format for JSC
875         https://bugs.webkit.org/show_bug.cgi?id=187373
876         <rdar://problem/44186758>
877
878         Reviewed by Filip Pizlo.
879
880         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
881
882         * stress/maximum-inline-capacity.js: Added.
883         (test1):
884         (test3.Foo):
885         (test3):
886
887 2018-10-26  Mark Lam  <mark.lam@apple.com>
888
889         Fix missing edge cases with JSGlobalObjects having a bad time.
890         https://bugs.webkit.org/show_bug.cgi?id=189028
891         <rdar://problem/45204939>
892
893         Reviewed by Saam Barati.
894
895         * stress/regress-189028.js: Added.
896
897 2018-10-22  Mark Lam  <mark.lam@apple.com>
898
899         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
900         https://bugs.webkit.org/show_bug.cgi?id=190515
901         <rdar://problem/45222379>
902
903         Rubber-stamped by Saam Barati.
904
905         Adding another test.
906
907         * stress/regress-190515-2.js: Added.
908
909 2018-10-22  Mark Lam  <mark.lam@apple.com>
910
911         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
912         https://bugs.webkit.org/show_bug.cgi?id=190515
913         <rdar://problem/45222379>
914
915         Reviewed by Saam Barati.
916
917         * stress/regress-190515.js: Added.
918
919 2018-10-19  Commit Queue  <commit-queue@webkit.org>
920
921         Unreviewed, rolling out r237254.
922         https://bugs.webkit.org/show_bug.cgi?id=190760
923
924         "It regresses JetStream 2 by 5% on some iOS devices"
925         (Requested by saamyjoon on #webkit).
926
927         Reverted changeset:
928
929         "[JSC] JSC should have "parseFunction" to optimize Function
930         constructor"
931         https://bugs.webkit.org/show_bug.cgi?id=190340
932         https://trac.webkit.org/changeset/237254
933
934 2018-10-19  Saam Barati  <sbarati@apple.com>
935
936         vmCall should check if we exit before emitting an OSR exit due to exceptions
937         https://bugs.webkit.org/show_bug.cgi?id=190740
938         <rdar://problem/45220139>
939
940         Reviewed by Mark Lam.
941
942         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
943         (foo):
944
945 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
946
947         [ESNext][BigInt] Implement support for "^"
948         https://bugs.webkit.org/show_bug.cgi?id=186235
949
950         Reviewed by Yusuke Suzuki.
951
952         * stress/big-int-bitwise-xor-general.js: Added.
953         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
954         * stress/big-int-bitwise-xor-type-error.js: Added.
955         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
956
957 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
958
959         [BigInt] Add ValueSub into DFG
960         https://bugs.webkit.org/show_bug.cgi?id=186176
961
962         Reviewed by Yusuke Suzuki.
963
964         * stress/big-int-subtraction-jit.js:
965         * stress/value-sub-big-int-prediction-propagation.js: Added.
966         * stress/value-sub-big-int-untyped.js: Added.
967         * stress/value-sub-spec-none-case.js: Added.
968
969 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
970
971         [JSC] JSC should have "parseFunction" to optimize Function constructor
972         https://bugs.webkit.org/show_bug.cgi?id=190340
973
974         Reviewed by Mark Lam.
975
976         This patch fixes the line number of syntax errors raised by the Function constructor,
977         since we now parse the final code only once. And we no longer use block statement
978         for Function constructor's parsing.
979
980         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
981         * stress/function-cache-with-parameters-end-position.js: Added.
982         (shouldBe):
983         (shouldThrow):
984         (i.anonymous):
985         * stress/function-constructor-name.js: Added.
986         (shouldBe):
987         (GeneratorFunction):
988         (AsyncFunction.async):
989         (AsyncGeneratorFunction.async):
990         (anonymous):
991         (async.anonymous):
992         * test262/expectations.yaml:
993
994 2018-10-18  Commit Queue  <commit-queue@webkit.org>
995
996         Unreviewed, rolling out r237242.
997         https://bugs.webkit.org/show_bug.cgi?id=190701
998
999         it breaks "stress/sampling-profiler-basic.js" (Requested by
1000         caiolima on #webkit).
1001
1002         Reverted changeset:
1003
1004         "[BigInt] Add ValueSub into DFG"
1005         https://bugs.webkit.org/show_bug.cgi?id=186176
1006         https://trac.webkit.org/changeset/237242
1007
1008 2018-10-17  Keith Miller  <keith_miller@apple.com>
1009
1010         AI does not clear Phantom allocation nodes.
1011         https://bugs.webkit.org/show_bug.cgi?id=190694
1012
1013         Reviewed by Saam Barati.
1014
1015         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
1016         (Day):
1017         (DaysInYear):
1018         (TimeInYear):
1019         (TimeFromYear):
1020         (DayFromYear):
1021         (InLeapYear):
1022         (YearFromTime):
1023         (WeekDay):
1024         (DaylightSavingTA):
1025         (GetSecondSundayInMarch):
1026         (TimeInMonth):
1027
1028 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
1029
1030         [BigInt] Add ValueSub into DFG
1031         https://bugs.webkit.org/show_bug.cgi?id=186176
1032
1033         Reviewed by Yusuke Suzuki.
1034
1035         * stress/big-int-subtraction-jit.js:
1036         * stress/value-sub-big-int-prediction-propagation.js: Added.
1037         * stress/value-sub-big-int-untyped.js: Added.
1038
1039 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
1040
1041         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
1042         https://bugs.webkit.org/show_bug.cgi?id=190611
1043
1044         Reviewed by Saam Barati.
1045
1046         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
1047         to improve test runtime. On ARM/MIPS this test even timed out when running all
1048         tests.
1049
1050         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1051         (test):
1052
1053 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
1054
1055         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
1056
1057         Unreviewed gardening.
1058
1059         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
1060
1061 2018-10-15  Saam Barati  <sbarati@apple.com>
1062
1063         Emit fjcvtzs on ARM64E on Darwin
1064         https://bugs.webkit.org/show_bug.cgi?id=184023
1065
1066         Reviewed by Yusuke Suzuki and Filip Pizlo.
1067
1068         * stress/double-to-int32-NaN.js: Added.
1069         (assert):
1070         (foo):
1071
1072 2018-10-15  Saam Barati  <sbarati@apple.com>
1073
1074         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
1075         https://bugs.webkit.org/show_bug.cgi?id=190262
1076         <rdar://problem/44986241>
1077
1078         Reviewed by Mark Lam.
1079
1080         * stress/array-prototype-concat-of-long-spliced-arrays.js:
1081         (test):
1082         * stress/slice-array-storage-with-holes.js: Added.
1083         (main):
1084
1085 2018-10-15  Commit Queue  <commit-queue@webkit.org>
1086
1087         Unreviewed, rolling out r237054.
1088         https://bugs.webkit.org/show_bug.cgi?id=190593
1089
1090         "this regressed JetStream 2 by 6% on iOS" (Requested by
1091         saamyjoon on #webkit).
1092
1093         Reverted changeset:
1094
1095         "[JSC] JSC should have "parseFunction" to optimize Function
1096         constructor"
1097         https://bugs.webkit.org/show_bug.cgi?id=190340
1098         https://trac.webkit.org/changeset/237054
1099
1100 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1101
1102         [JSC] JSON.stringify can accept call-with-no-arguments
1103         https://bugs.webkit.org/show_bug.cgi?id=190343
1104
1105         Reviewed by Mark Lam.
1106
1107         * stress/json-stringify-no-arguments.js: Added.
1108         (shouldBe):
1109
1110 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1111
1112         [JSC] JSC should have "parseFunction" to optimize Function constructor
1113         https://bugs.webkit.org/show_bug.cgi?id=190340
1114
1115         Reviewed by Mark Lam.
1116
1117         This patch fixes the line number of syntax errors raised by the Function constructor,
1118         since we now parse the final code only once. And we no longer use block statement
1119         for Function constructor's parsing.
1120
1121         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
1122         * stress/function-cache-with-parameters-end-position.js: Added.
1123         (shouldBe):
1124         (shouldThrow):
1125         (i.anonymous):
1126         * stress/function-constructor-name.js: Added.
1127         (shouldBe):
1128         (GeneratorFunction):
1129         (AsyncFunction.async):
1130         (AsyncGeneratorFunction.async):
1131         (anonymous):
1132         (async.anonymous):
1133         * test262/expectations.yaml:
1134
1135 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
1136
1137         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
1138         https://bugs.webkit.org/show_bug.cgi?id=190426
1139
1140         Unreviewed gardening.
1141
1142         * stress/sampling-profiler-richards.js:
1143
1144 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
1145
1146         [ESNext][BigInt] Implement support for "|"
1147         https://bugs.webkit.org/show_bug.cgi?id=186229
1148
1149         Reviewed by Yusuke Suzuki.
1150
1151         * stress/big-int-bitwise-and-jit.js:
1152         * stress/big-int-bitwise-or-general.js: Added.
1153         * stress/big-int-bitwise-or-jit-untyped.js: Added.
1154         * stress/big-int-bitwise-or-jit.js: Added.
1155         * stress/big-int-bitwise-or-memory-stress.js: Added.
1156         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
1157         * stress/big-int-bitwise-or-type-error.js: Added.
1158         * stress/big-int-bitwise-or-wrapped-value.js: Added.
1159
1160 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
1161
1162         Skip test on systems with limited memory
1163         https://bugs.webkit.org/show_bug.cgi?id=190310
1164
1165         Invoking runDefault adds test to runlist; skipping the test in the next
1166         line does not prevent the test from executing. Change order of lines such
1167         that runDefault is only executed if test is not executed.
1168
1169         Reviewed by Mark Lam.
1170
1171         * stress/regress-190187.js:
1172
1173 2018-10-03  Saam Barati  <sbarati@apple.com>
1174
1175         lowXYZ in FTLLower should always filter the type of the incoming edge
1176         https://bugs.webkit.org/show_bug.cgi?id=189939
1177         <rdar://problem/44407030>
1178
1179         Reviewed by Michael Saboff.
1180
1181         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
1182         (foo):
1183         (test):
1184
1185 2018-10-03  Mark Lam  <mark.lam@apple.com>
1186
1187         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1188         https://bugs.webkit.org/show_bug.cgi?id=190187
1189         <rdar://problem/42512909>
1190
1191         Reviewed by Michael Saboff.
1192
1193         * stress/regress-190187.js: Added.
1194
1195 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1196
1197         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1198         https://bugs.webkit.org/show_bug.cgi?id=190033
1199
1200         Reviewed by Yusuke Suzuki.
1201
1202         * stress/big-int-to-string.js:
1203
1204 2018-10-01  Mark Lam  <mark.lam@apple.com>
1205
1206         Function.toString() should also copy the source code of Functions that are class definitions.
1207         https://bugs.webkit.org/show_bug.cgi?id=190186
1208         <rdar://problem/44733360>
1209
1210         Reviewed by Saam Barati.
1211
1212         * stress/regress-190186.js: Added.
1213
1214 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
1215
1216         Split NaN-check into separate test
1217         https://bugs.webkit.org/show_bug.cgi?id=190010
1218
1219         Reviewed by Saam Barati.
1220
1221         DataView exposes NaN-representation, which is not necessarily the same on each
1222         architecture. Therefore move the check of the NaN-representation into its own
1223         file such that we can disable this test on MIPS where NaN-representation can be
1224         different on older CPUs.
1225
1226         * stress/dataview-jit-set-nan.js: Added.
1227         (assert):
1228         (test.storeLittleEndian):
1229         (test.storeBigEndian):
1230         (test.store):
1231         (test):
1232         * stress/dataview-jit-set.js:
1233         (test5):
1234
1235 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1236
1237         Unreviewed, rolling out r236647.
1238         https://bugs.webkit.org/show_bug.cgi?id=190124
1239
1240         Breaking test stress/big-int-to-string.js (Requested by
1241         caiolima_ on #webkit).
1242
1243         Reverted changeset:
1244
1245         "[BigInt] BigInt.prototype.toString is broken when radix is
1246         power of 2"
1247         https://bugs.webkit.org/show_bug.cgi?id=190033
1248         https://trac.webkit.org/changeset/236647
1249
1250 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1251
1252         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
1253         https://bugs.webkit.org/show_bug.cgi?id=190033
1254
1255         Reviewed by Yusuke Suzuki.
1256
1257         * stress/big-int-to-string.js:
1258
1259 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1260
1261         [ESNext][BigInt] Implement support for "&"
1262         https://bugs.webkit.org/show_bug.cgi?id=186228
1263
1264         Reviewed by Yusuke Suzuki.
1265
1266         * stress/big-int-bitwise-and-general.js: Added.
1267         (assert):
1268         (assert.sameValue):
1269         * stress/big-int-bitwise-and-jit.js: Added.
1270         (let.assert.sameValue):
1271         (bigIntBitAnd):
1272         * stress/big-int-bitwise-and-memory-stress.js: Added.
1273         (assert):
1274         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
1275         (assert.sameValue):
1276         (let.o.Symbol.toPrimitive):
1277         (catch):
1278         * stress/big-int-bitwise-and-type-error.js: Added.
1279         (assert):
1280         (assertThrowTypeError):
1281         (let.o.valueOf):
1282         (o.valueOf):
1283         (o.toString):
1284         (o.Symbol.toPrimitive):
1285         * stress/big-int-bitwise-and-wrapped-value.js: Added.
1286         (assert.sameValue):
1287         (testBitAnd):
1288         (let.o.Symbol.toPrimitive):
1289         (o.valueOf):
1290         (o.toString):
1291
1292 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
1293
1294         JSC test stress/jsc-read.js doesn't support CRLF
1295         https://bugs.webkit.org/show_bug.cgi?id=190063
1296
1297         Reviewed by Yusuke Suzuki.
1298
1299         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
1300
1301         * stress/jsc-read.js:
1302         (test):
1303
1304 2018-09-27  Saam Barati  <sbarati@apple.com>
1305
1306         Verify the contents of AssemblerBuffer on arm64e
1307         https://bugs.webkit.org/show_bug.cgi?id=190057
1308         <rdar://problem/38916630>
1309
1310         Reviewed by Mark Lam.
1311
1312         * stress/regress-189132.js:
1313
1314 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
1315
1316         Disable test without LLInt on ARMv7
1317         https://bugs.webkit.org/show_bug.cgi?id=190037
1318
1319         Reviewed by Mark Lam.
1320
1321         Test runs out of executable memory on ARMv7; do not run
1322         this test without LLInt enabled.
1323
1324         * stress/regress-169445.js:
1325
1326 2018-09-26  Keith Miller  <keith_miller@apple.com>
1327
1328         We should zero unused property storage when rebalancing array storage.
1329         https://bugs.webkit.org/show_bug.cgi?id=188151
1330
1331         Reviewed by Michael Saboff.
1332
1333         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
1334
1335 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1336
1337         [JSC] Optimize Array#lastIndexOf
1338         https://bugs.webkit.org/show_bug.cgi?id=189780
1339
1340         Reviewed by Saam Barati.
1341
1342         * stress/array-lastindexof-array-prototype-trap.js: Added.
1343         (shouldBe):
1344         (AncestorArray.prototype.get 2):
1345         (AncestorArray):
1346         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
1347         (shouldBe):
1348         * stress/array-lastindexof-hole-nan.js: Added.
1349         (shouldBe):
1350         (throw.new.Error):
1351         * stress/array-lastindexof-infinity.js: Added.
1352         (shouldBe):
1353         (throw.new.Error):
1354         * stress/array-lastindexof-negative-zero.js: Added.
1355         (shouldBe):
1356         (throw.new.Error):
1357         * stress/array-lastindexof-own-getter.js: Added.
1358         (shouldBe):
1359         (throw.new.Error.get array):
1360         (get array):
1361         * stress/array-lastindexof-prototype-trap.js: Added.
1362         (shouldBe):
1363         (DerivedArray.prototype.get 2):
1364         (DerivedArray):
1365
1366 2018-09-25  Saam Barati  <sbarati@apple.com>
1367
1368         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
1369         https://bugs.webkit.org/show_bug.cgi?id=189940
1370         <rdar://problem/43640987>
1371
1372         Reviewed by Mark Lam.
1373
1374         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
1375
1376 2018-09-24  Saam Barati  <sbarati@apple.com>
1377
1378         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
1379         https://bugs.webkit.org/show_bug.cgi?id=189922
1380         <rdar://problem/44651275>
1381
1382         Reviewed by Mark Lam.
1383
1384         * stress/array-indexof-fast-path-effects.js: Added.
1385         * stress/array-indexof-cached-length.js: Added.
1386
1387 2018-09-24  Saam Barati  <sbarati@apple.com>
1388
1389         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
1390         https://bugs.webkit.org/show_bug.cgi?id=189682
1391         <rdar://problem/43557315>
1392
1393         Reviewed by Mark Lam.
1394
1395         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
1396         (foo):
1397
1398 2018-09-22  Saam Barati  <sbarati@apple.com>
1399
1400         The sampling should not use Strong<CodeBlock> in its machineLocation field
1401         https://bugs.webkit.org/show_bug.cgi?id=189319
1402
1403         Reviewed by Filip Pizlo.
1404
1405         * stress/sampling-profiler-richards.js: Added.
1406
1407 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1408
1409         [JSC] Optimize Array#indexOf in C++ runtime
1410         https://bugs.webkit.org/show_bug.cgi?id=189507
1411
1412         Reviewed by Saam Barati.
1413
1414         * stress/array-indexof-array-prototype-trap.js: Added.
1415         (shouldBe):
1416         (AncestorArray.prototype.get 2):
1417         (AncestorArray):
1418         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
1419         (shouldBe):
1420         * stress/array-indexof-hole-nan.js: Added.
1421         (shouldBe):
1422         (throw.new.Error):
1423         * stress/array-indexof-infinity.js: Added.
1424         (shouldBe):
1425         (throw.new.Error):
1426         * stress/array-indexof-negative-zero.js: Added.
1427         (shouldBe):
1428         (throw.new.Error):
1429         * stress/array-indexof-own-getter.js: Added.
1430         (shouldBe):
1431         (throw.new.Error.get array):
1432         (get array):
1433         * stress/array-indexof-prototype-trap.js: Added.
1434         (shouldBe):
1435         (DerivedArray.prototype.get 2):
1436         (DerivedArray):
1437
1438 2018-09-19  Saam Barati  <sbarati@apple.com>
1439
1440         AI rule for MultiPutByOffset executes its effects in the wrong order
1441         https://bugs.webkit.org/show_bug.cgi?id=189757
1442         <rdar://problem/43535257>
1443
1444         Reviewed by Michael Saboff.
1445
1446         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
1447         (foo):
1448         (Foo):
1449         (g):
1450
1451 2018-09-17  Mark Lam  <mark.lam@apple.com>
1452
1453         Ensure that ForInContexts are invalidated if their loop local is over-written.
1454         https://bugs.webkit.org/show_bug.cgi?id=189571
1455         <rdar://problem/44402277>
1456
1457         Reviewed by Saam Barati.
1458
1459         * stress/regress-189571.js: Added.
1460
1461 2018-09-17  Saam Barati  <sbarati@apple.com>
1462
1463         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
1464         https://bugs.webkit.org/show_bug.cgi?id=189676
1465         <rdar://problem/39682897>
1466
1467         Reviewed by Michael Saboff.
1468
1469         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
1470         (A):
1471         (K):
1472         (i.catch):
1473
1474 2018-09-14  Saam Barati  <sbarati@apple.com>
1475
1476         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
1477         https://bugs.webkit.org/show_bug.cgi?id=189628
1478         <rdar://problem/39481690>
1479
1480         Reviewed by Mark Lam.
1481
1482         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
1483         (foo):
1484
1485 2018-09-11  Mark Lam  <mark.lam@apple.com>
1486
1487         Test for array initialization in arrayProtoFuncSplice.
1488         https://bugs.webkit.org/show_bug.cgi?id=170253
1489         <rdar://problem/31328773>
1490
1491         Rubber-stamped by Saam Barati.
1492
1493         * stress/regress-170253.js: Added.
1494
1495 2018-09-11  Mark Lam  <mark.lam@apple.com>
1496
1497         Test for IntlObject initialization.
1498         https://bugs.webkit.org/show_bug.cgi?id=170251
1499         <rdar://problem/31328419>
1500
1501         Rubber-stamped by Saam Barati.
1502
1503         * stress/regress-170251.js: Added.
1504
1505 2018-09-11  Mark Lam  <mark.lam@apple.com>
1506
1507         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
1508         https://bugs.webkit.org/show_bug.cgi?id=169889
1509         <rdar://problem/31155607>
1510
1511         Reviewed by Saam Barati.
1512
1513         * stress/regress-169889-array-concat.js: Added.
1514         * stress/regress-169889-array-concat1.js: Added.
1515         * stress/regress-169889-array-slice.js: Added.
1516
1517 2018-09-11  Mark Lam  <mark.lam@apple.com>
1518
1519         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
1520         https://bugs.webkit.org/show_bug.cgi?id=169445
1521         <rdar://problem/30957435>
1522
1523         Reviewed by Saam Barati.
1524
1525         * stress/regress-169445.js: Added.
1526         (let.gun.eval.A):
1527         (let.gun.eval.B.C):
1528         (let.gun.eval.B.C.prototype.trigger):
1529         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
1530         (let.gun.eval.B):
1531         (let.gun.eval):
1532
1533 == Rolled over to ChangeLog-2018-09-11 ==